CC7178 Cyber Security Management: Presenter: Kiran Kumar Shah


CC7178

Cyber Security Management

Lecture 1

Presenter : Kiran Kumar Shah


Security: from Latin sēcūrus

Specialized Areas of Information Security


• Physical Security (Biometrics, Fence, CCTV)
• Personal Security (Evacuation Plan, Floor Warden)
• Operations Security (BCP plan)
• Communications Security (Encryption)
• Network Security (Firewall, IDS, IPS)
Communities of Interest in Information Security

• InfoSec Community: protect information assets from threats. (Information Security Managers, CISO)
• IT Community: support business objectives by supplying appropriate information technology. (CTO, IT Head)
• Business Community: policy development and provision of resources. (Top Management, Department Heads)
Information Security

InfoSec is the design and implementation of security mechanisms; it includes information security, computer security, communication security, and network security.
CIA Triangle

• The C.I.A. triangle is made up of:
– Confidentiality
– Integrity
– Availability

• Confidentiality, Integrity and Availability are the core goals of information security.
• Security controls are typically evaluated on how well they address these three core information security goals (e.g. a poor firewall), as well as on how they stand up to different types of attack (ransomware, social engineering, parliament dissolution).

InfoSec is all about protecting data. Data is usually in one of the following states: in transmission, in process/use, in storage. CIA is needed in all these states.
Key Concepts of Information Security
• Confidentiality
Protecting data from unauthorized access, use or disclosure.

Attacks: capturing network traffic and stealing password files, or human error such as leaving a terminal open.

Security Controls: encryption, access controls (only those with sufficient privileges may access certain information).

Privacy (Related to Confidentiality)

– Layman's terms: disclosure causing embarrassment.
– InfoSec terms: information is to be used only for purposes known to the data owner and not disclosed to the public. In other words, privacy is the amount of control exerted over sensitive information.
Key Concepts of Information Security
Cont..
Integrity
– Integrity is preventing data from unauthorized modification, whether intentional or non-intentional.
– Integrity is the quality or state of being whole, complete, and uncorrupted.
– Attacks: viruses, unauthorized access; human error such as modifying or deleting files or entering invalid data.
– Controls include: strict access control, input/function checks.
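As an added example (not part of the lecture material), here are the two integrity controls just listed applied to a single stored record, which also covers the "in storage" and "in transmission" data states from the earlier slide: an HMAC-SHA256 tag detects both intentional tampering and accidental corruption of the record, and an input check refuses invalid data before it is ever sealed. The key, the sample record, the `seal`/`verify`/`validate` functions and the tampering scenario are all constructed for this illustration.

```python
"""Integrity control, as an added illustration for these slides (not part of the
lecture material): an HMAC-SHA256 tag detects any unauthorized modification of a
stored or transmitted record, intentional or accidental, and an input check rejects
invalid data before it is ever sealed. Key, record and the tampering below are
constructed sample data."""
import hashlib
import hmac
import json

ALLOWED_CURRENCIES = {"GBP", "USD", "EUR"}  # constructed allow-list for the input check


def validate(record: dict) -> None:
    """Input/function check: reject malformed data before it enters storage."""
    if not isinstance(record.get("balance"), int) or record["balance"] < 0:
        raise ValueError("balance must be a non-negative integer")
    if record.get("currency") not in ALLOWED_CURRENCIES:
        raise ValueError("unknown currency")


def _canonical(record: dict) -> bytes:
    # Canonical serialisation so the same data always yields the same bytes.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: dict, key: bytes) -> dict:
    """Validate, then attach a keyed tag. Without the key nobody can forge a tag."""
    validate(record)
    tag = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(sealed: dict, key: bytes) -> bool:
    """True only if the record is exactly what was sealed. compare_digest avoids
    revealing how many tag bytes matched through timing differences."""
    expected = hmac.new(key, _canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed["tag"])


def demo() -> dict:
    key = b"constructed-demo-key-do-not-reuse"  # constructed; in practice from a key store
    stored = seal({"account": "ACC-1001", "balance": 2500, "currency": "GBP"}, key)

    # Intentional modification: the balance is edited but the tag cannot be recomputed.
    tampered = {"record": {**stored["record"], "balance": 25000}, "tag": stored["tag"]}
    # Non-intentional corruption: a single character flips on disk or in transit.
    corrupted = {"record": {**stored["record"], "currency": "GBq"}, "tag": stored["tag"]}

    # Input check: invalid data is refused before it can be stored at all.
    try:
        seal({"account": "ACC-1002", "balance": "lots", "currency": "GBP"}, key)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "intact": verify(stored, key),
        "tampered": verify(tampered, key),
        "corrupted": verify(corrupted, key),
        "invalid_input_rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The same `verify` call serves both data states: run it when a record is read back from storage, or when it arrives over the network, and any mismatch means the data is no longer whole and uncorrupted.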
Key Concepts of Information Security
Cont..
Availability
Availability is making information accessible to authorized users in a timely manner and without interference or obstruction.

Threats: include device failure and environmental issues (heat, static, flooding, power loss, and so on), as well as DoS attacks.

Countermeasures: monitoring performance and network traffic (SNMP), using firewalls and routers to prevent DoS attacks, redundancy.

The priority of the security goals depends upon the organization: government and military organizations vs. private companies (availability).
Key Concepts of Information Security
(IAAA of CIA)
Authentication and Identification
– Identity is a claim about who the user is, without proof. It should always be unique.
– Providing an identity: a username; swiping a smart card; or positioning your face, hand, or finger for a camera or scanner.

– Authentication is verifying whether the claimed identity is valid or not. Sometimes it requires additional information (password, PIN), or identification is handled by another means, such as physical location.

– Identification and authentication form a single two-step process: providing an identity is the first step, and providing the authentication factors is the second step.
Key Concepts of Information Security
(AAA of CIA)
Authorization
The actions that an authorized person is allowed to perform and the objects that the user can access, once the user has been identified and authenticated.
The system evaluates an access control matrix that compares the subject, the object, and the intended activity.
Principle of Least Privilege.

Privilege Escalation Attack.

Key Concepts of Information Security
(AAA of CIA)
Accountability
Hold users accountable for their actions via log files.
Depends upon strong authentication that provides assurance that every activity undertaken can be attributed to a named person or automated process. E.g. password sharing breaks this attribution.

Passwords vs. Multifactor Authentication

Key Concepts of Information Security
(IAAA of CIA)
Auditing (Related Concept to Accountability)
Auditing: actions are tracked and recorded for the purpose of holding the subject accountable for their actions; they are written to a log which provides an audit trail (history of events).
Auditing is needed to detect malicious actions and system failures, and to reconstruct events, provide evidence for prosecution, and produce problem reports and analysis.
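The four IAAA slides above (identification, authentication, authorization, accountability/auditing) fit together in one small system; the following is an added example written for this page, not code from the lecture. Identification is the claimed username; authentication checks that claim against a salted PBKDF2 password hash; authorization is a lookup in an access control matrix keyed on (subject, object, action), with each subject granted only what its role needs; and accountability is an audit trail in which every login attempt and every access decision is attributed to one named subject. The users, passwords, object name and grants are constructed sample data, and `SecuritySystem` is a hypothetical class, not a real library.

```python
"""Added example (not from the lecture): the IAAA chain in one small system.
Identification = the claimed username; authentication = checking the claim against
a salted PBKDF2 password hash; authorization = an access control matrix lookup on
(subject, object, action), granting each subject only what its role needs (least
privilege); accountability = every decision written to an audit trail so that each
event is attributable to one named subject. Users, objects and grants are constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone

PBKDF2_ROUNDS = 100_000
_DUMMY = (b"\x00" * 16, b"\x00" * 32)  # used for unknown users so timing is uniform


@dataclass
class AuditEvent:
    when: str
    subject: str
    action: str
    obj: str
    outcome: str


class SecuritySystem:
    def __init__(self) -> None:
        self._creds: dict[str, tuple[bytes, bytes]] = {}    # username -> (salt, hash)
        self._matrix: dict[tuple[str, str], set[str]] = {}  # (subject, object) -> actions
        self.audit_trail: list[AuditEvent] = []

    # Identification + authentication
    def enrol(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._creds[username] = (salt, self._derive(password, salt))

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def authenticate(self, username: str, password: str) -> bool:
        """The username is the identity claim; the password proves it. Unknown users
        take the same code path, so the response does not reveal which names exist."""
        salt, stored = self._creds.get(username, _DUMMY)
        ok = username in self._creds and hmac.compare_digest(self._derive(password, salt), stored)
        self._log(username, "login", "-", "success" if ok else "failure")
        return ok

    # Authorization: the access control matrix
    def grant(self, subject: str, obj: str, *actions: str) -> None:
        self._matrix.setdefault((subject, obj), set()).update(actions)

    def authorize(self, subject: str, obj: str, action: str) -> bool:
        """Compare subject, object and intended activity against the matrix."""
        allowed = action in self._matrix.get((subject, obj), set())
        self._log(subject, action, obj, "allowed" if allowed else "denied")
        return allowed

    # Accountability / auditing: every decision becomes an attributable event
    def _log(self, subject: str, action: str, obj: str, outcome: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_trail.append(AuditEvent(stamp, subject, action, obj, outcome))


def demo() -> dict:
    s = SecuritySystem()
    s.enrol("alice", "correct horse battery staple")  # constructed sample accounts
    s.enrol("bob", "a-different-long-passphrase")
    s.grant("alice", "payroll.db", "read")             # analyst: read only (least privilege)
    s.grant("bob", "payroll.db", "read", "write")      # payroll clerk: may also modify

    results = {
        "alice_login_ok": s.authenticate("alice", "correct horse battery staple"),
        "alice_login_bad": s.authenticate("alice", "wrong password"),
        "unknown_login": s.authenticate("mallory", "anything"),
        "alice_read": s.authorize("alice", "payroll.db", "read"),
        "alice_write": s.authorize("alice", "payroll.db", "write"),  # denied: not in matrix
        "bob_write": s.authorize("bob", "payroll.db", "write"),
    }
    results["audit_events"] = len(s.audit_trail)
    results["flagged"] = [(e.subject, e.action, e.obj) for e in s.audit_trail
                          if e.outcome in ("failure", "denied")]
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `flagged` list is what an auditor would pull from the trail: the failed logins and the denied write are each tied to a single named subject, which is only meaningful because each account belongs to one person and is not shared.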
• John McCumber, 1991: known as the McCumber Cube
• Widely accepted standard for evaluating the security of information systems
• The CNSS (Committee on National Security Systems) security model is a three-dimensional security model
Types of Planning:
1. Strategic Planning (5-year plan)
2. Tactical Planning (1-2 years)
3. Operational Plans (normal business)

Tactical and operational plans will change frequently, but not strategic plans.
Principles of Information Security Management System
The extended characteristics/components of information security are known as the six Ps:
– Planning
– Protection
– Policy
– Project
– Program
– People
Principles of Information Security Management
Protection

– Risk management activities, including risk identification, risk assessment and risk control
– Finding weaknesses and strengthening them.
Principles of Information Security Management
Policy
The set of organizational guidelines that dictates certain actions within the organization, e.g. an acceptable use policy.

In InfoSec, there are three general categories of policy:
– General program policy (Enterprise Information Security Policy (EISP)) {overall security, roles and responsibilities}
– Issue-Specific Security Policy (ISSP) {technology = email, internet}
– System-Specific Policies (SSP) {standards or procedures/checklists}
Principles of Information Security Management
Project Management

– A project is a task of a temporary nature, with a start, a finish and a goal.
– You have to implement any control measure as a project, whether you are implementing an IDS or carrying out any security program.
– Includes planning, collecting resources, implementing, controlling and optimizing.
Principles of Information Security Management
Program
Oversees a group of individual projects linked together through a shared organizational goal.
– Starts with development of the security policy, then implementing the control measures (like information security training), training assessment, and re-training.
Principles of Information Security Management
People
People are the most critical link in the InfoSec program. You need to protect them and protect yourself from them.
